Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Windows OpenType Font - File Format DoS Exploit

🗓️ 01 Jul 2014 00:00:00Reported by RootType 
seebug
 seebug🔗 www.seebug.org👁 11 Views

Windows OpenType Font - File Format Denial of Service (DoS) Exploit. Zero day vulnerability exists in kernel-mode library ATMFD.DLL, that using by OS for working with PostScript-based OpenType font files (.OTF). Vulnerable versions of Windows/ATMFD.DLL: all, x32 and x64. Opening malicious .OTF font file causes a BSoD on NT 5.x and 100% CPU overage on NT 6.x. To trigger vulnerability -- double click on CFF_Type-1_0x0d_expl.otf. This vulnerability was found with MsFontsFuzz fuzzer

Code

                                                ************************************************************************

  OpenType font file format remote (client-side) DoS exploit for Windows

  By Oleksiuk Dmytro (aka Cr4sh)
  http://twitter.com/d_olex
  http://blog.cr4.sh
  mailto:[email protected]
  
************************************************************************

INFO:

Zero day vulnerability exists in kernel-mode library ATMFD.DLL, that using by OS for working with PostScript-based OpenType font files (.OTF)

Vulnerable versions of Windows/ATMFD.DLL: all, x32 and x64.

Opening malicious .OTF font file, that can be embedded in Microsoft Office document or web-page, causes a BSoD on NT 5.x (Windows XP, Server 2003) and 100% CPU overage on NT 6.x (Vista, 7, Server 2008).

To trigger vulnerability -- double click on CFF_Type-1_0x0d_expl.otf

The point of vulnerability -- invalid decoding of 0x0d byte in the Type 2 Charstring Format Glyph, that drops ATMFD.DLL code into the infinite loop.

"good" glyph representation:

  [68]={
    95 112 99 65 61 vhcurveto
    endchar
  }
  
Malicious glyph representation:

  [68]={
    95 112 99 65 reserved13
    vhcurveto
    endchar
  }
  
This vulnerability was found with MsFontsFuzz fuzzer, that can be downloaded on https://github.com/Cr4sh/MsFontsFuzz

More detailed vulnerability analysis can be found at http://blog.cr4.sh/2012/06/0day-windows.html (russian, use Google Translate).

====
POC
====

http://www.exploit-db.com/sploits/19089.rar

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1
opentype fontfile formatdenial of servicezero day vulnerabilitykernel-mode libraryatmfd.dllpostscript-basedwindows xpserver 2003vistawindows 7server 2008bsodcpu overagemsfontsfuzzexploit database
11